
HTTP response schema collection and data classification #8938


Draft: wants to merge 3 commits into base: malvarez/vertx-response-extraction

Conversation


@sezen-datadog sezen-datadog commented Jun 6, 2025

What Does This Do

Motivation

Additional Notes

Contributor Checklist

Jira ticket: APPSEC-57259

@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from f3bdd40 to 7c044fd Compare June 6, 2025 12:27
pr-commenter bot commented Jun 6, 2025

Benchmarks

Startup

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | sezen.leblay/APPSEC-57259-extract-schema-spring |
| git_commit_date | 1749730552 | 1749736563 |
| git_commit_sha | 05d97db | 6d9e334 |
| release_version | 1.50.0-SNAPSHOT~05d97db941 | 1.50.0-SNAPSHOT~6d9e334825 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1749739114 |
| ci_job_id | 978735251 |
| ci_pipeline_id | 67537713 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-63wmvl1-project-304-concurrent-0-qxwa1d6i 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| module | Agent |
| parent | None |
| variant | iast |

Summary

Found 1 performance improvements and 2 performance regressions! Performance is the same for 55 metrics, 13 unstable metrics.

| Scenario | Δ mean execution_time | Candidate mean execution_time | Baseline mean execution_time |
|---|---|---|---|
| scenario:startup:insecure-bank:tracing:AppSec | worse: [+2.083ms; +5.803ms] or [+3.689%; +10.278%] | 60.404ms | 56.461ms |
| scenario:startup:insecure-bank:tracing:Remote Config | better: [-93.332µs; -20.575µs] or [-12.569%; -2.771%] | 685.601µs | 742.555µs |
| scenario:startup:petclinic:profiling:AppSec | worse: [+4.778ms; +5.910ms] or [+7.717%; +9.546%] | 67.252ms | 61.908ms |
Startup time reports for insecure-bank
[Gantt chart: insecure-bank - global startup overhead: candidate=1.50.0-SNAPSHOT~6d9e334825, baseline=1.50.0-SNAPSHOT~05d97db941; the per-variant Agent/Total figures are listed in the baseline and candidate tables below]
Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.027 s | - |
| Agent | iast | 1.15 s | 123.053 ms (12.0%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.154 s | 127.662 ms (12.4%) |
| Agent | iast_TELEMETRY_OFF | 1.147 s | 120.076 ms (11.7%) |
| Total | tracing | 8.534 s | - |
| Total | iast | 9.186 s | 651.979 ms (7.6%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.14 s | 605.801 ms (7.1%) |
| Total | iast_TELEMETRY_OFF | 9.255 s | 720.594 ms (8.4%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.028 s | - |
| Agent | iast | 1.157 s | 129.092 ms (12.6%) |
| Agent | iast_HARDCODED_SECRET_DISABLED | 1.158 s | 130.846 ms (12.7%) |
| Agent | iast_TELEMETRY_OFF | 1.155 s | 127.202 ms (12.4%) |
| Total | tracing | 8.567 s | - |
| Total | iast | 9.25 s | 683.696 ms (8.0%) |
| Total | iast_HARDCODED_SECRET_DISABLED | 9.251 s | 684.643 ms (8.0%) |
| Total | iast_TELEMETRY_OFF | 9.275 s | 708.023 ms (8.3%) |
insecure-bank - break down per module (baseline → candidate; candidate=1.50.0-SNAPSHOT~6d9e334825, baseline=1.50.0-SNAPSHOT~05d97db941):

| Module | tracing | iast | iast_HARDCODED_SECRET_DISABLED | iast_TELEMETRY_OFF |
|---|---|---|---|---|
| BytebuddyAgent | 684.131 ms → 682.438 ms | 801.522 ms → 802.522 ms | 805.955 ms → 802.134 ms | 798.48 ms → 800.61 ms |
| GlobalTracer | 240.875 ms → 240.373 ms | 230.657 ms → 230.658 ms | 230.375 ms → 231.893 ms | 230.884 ms → 231.818 ms |
| IAST | - | 26.777 ms → 25.65 ms | 26.291 ms → 25.678 ms | 25.688 ms → 30.507 ms |
| AppSec | 56.461 ms → 60.404 ms | 52.701 ms → 59.763 ms | 53.461 ms → 60.414 ms | 53.687 ms → 53.821 ms |
| Debugger | 6.225 ms → 6.236 ms | 5.934 ms → 5.97 ms | 5.917 ms → 6.072 ms | 5.956 ms → 5.987 ms |
| Remote Config | 742.555 µs → 685.601 µs | 600.649 µs → 606.508 µs | 591.483 µs → 605.453 µs | 592.241 µs → 605.282 µs |
| Telemetry | 14.512 ms → 13.816 ms | 7.929 ms → 7.875 ms | 7.896 ms → 8.021 ms | 7.785 ms → 7.936 ms |
Startup time reports for petclinic
[Gantt chart: petclinic - global startup overhead: candidate=1.50.0-SNAPSHOT~6d9e334825, baseline=1.50.0-SNAPSHOT~05d97db941; the per-variant Agent/Total figures are listed in the baseline and candidate tables below]
Baseline results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.03 s | - |
| Agent | appsec | 1.162 s | 132.657 ms (12.9%) |
| Agent | iast | 1.167 s | 136.872 ms (13.3%) |
| Agent | profiling | 1.268 s | 238.208 ms (23.1%) |
| Total | tracing | 10.572 s | - |
| Total | appsec | 10.664 s | 92.176 ms (0.9%) |
| Total | iast | 10.857 s | 285.188 ms (2.7%) |
| Total | profiling | 10.933 s | 361.635 ms (3.4%) |

Candidate results:

| Module | Variant | Duration | Δ tracing |
|---|---|---|---|
| Agent | tracing | 1.031 s | - |
| Agent | appsec | 1.167 s | 135.154 ms (13.1%) |
| Agent | iast | 1.173 s | 141.424 ms (13.7%) |
| Agent | profiling | 1.281 s | 249.984 ms (24.2%) |
| Total | tracing | 10.582 s | - |
| Total | appsec | 10.689 s | 106.237 ms (1.0%) |
| Total | iast | 10.956 s | 373.286 ms (3.5%) |
| Total | profiling | 10.991 s | 408.362 ms (3.9%) |
petclinic - break down per module (baseline → candidate; candidate=1.50.0-SNAPSHOT~6d9e334825, baseline=1.50.0-SNAPSHOT~05d97db941):

| Module | tracing | appsec | iast | profiling |
|---|---|---|---|---|
| BytebuddyAgent | 687.256 ms → 686.095 ms | 700.147 ms → 702.071 ms | 814.496 ms → 815.483 ms | 675.882 ms → 681.9 ms |
| GlobalTracer | 241.998 ms → 240.147 ms | 237.376 ms → 238.438 ms | 233.573 ms → 233.757 ms | 360.183 ms → 362.69 ms |
| IAST | - | 21.919 ms → 22.015 ms | 27.822 ms → 28.855 ms | - |
| AppSec | 57.456 ms → 62.613 ms | 176.285 ms → 177.112 ms | 52.09 ms → 56.475 ms | 61.908 ms → 67.252 ms |
| Debugger | 6.211 ms → 6.194 ms | 5.947 ms → 5.999 ms | 6.048 ms → 5.96 ms | 6.162 ms → 6.101 ms |
| Remote Config | 741.972 µs → 689.428 µs | 639.186 µs → 625.827 µs | 601.948 µs → 604.519 µs | 670.756 µs → 638.429 µs |
| Telemetry | 12.233 ms → 12.067 ms | 7.357 ms → 7.743 ms | 8.087 ms → 7.967 ms | 8.269 ms → 8.052 ms |
| ProfilingAgent | - | - | - | 103.913 ms → 103.556 ms |
| Profiling | - | - | - | 103.937 ms → 103.582 ms |

Load

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| end_time | 2025-06-12T14:10:34 | 2025-06-12T14:26:05 |
| git_branch | master | sezen.leblay/APPSEC-57259-extract-schema-spring |
| git_commit_date | 1749730552 | 1749736563 |
| git_commit_sha | 05d97db | 6d9e334 |
| release_version | 1.50.0-SNAPSHOT~05d97db941 | 1.50.0-SNAPSHOT~6d9e334825 |
| start_time | 2025-06-12T14:10:19 | 2025-06-12T14:25:50 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | insecure-bank |
| ci_job_date | 1749739096 |
| ci_job_id | 978735252 |
| ci_pipeline_id | 67537713 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-pz8nwqvr-project-304-concurrent-1-gqo91co4 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| thresholds_or_results | results |
| variant | iast |

Summary

Found 4 performance improvements and 5 performance regressions! Performance is the same for 5 metrics, 16 unstable metrics.

| Scenario | Δ mean http_req_duration | Δ mean throughput | Candidate mean http_req_duration | Candidate mean throughput | Baseline mean http_req_duration | Baseline mean throughput |
|---|---|---|---|---|---|---|
| scenario:load:petclinic:appsec | worse: [+620.115µs; +675.770µs] or [+7.748%; +8.443%] | worse: [-61.252op/s; -26.661op/s] or [-9.953%; -4.332%] | 8.652ms | 571.429op/s | 8.004ms | 615.385op/s |
| scenario:load:petclinic:appsec_no_iast | better: [-7.550ms; -7.510ms] or [-99.865%; -99.328%] | unstable: [+6302.088op/s; +24397.099op/s] or [+968.946%; +3751.054%] | 0.031ms | 16000.000op/s | 7.561ms | 650.407op/s |
| scenario:load:petclinic:iast | worse: [+872.996µs; +954.541µs] or [+9.824%; +10.742%] | worse: [-78.564op/s; -26.312op/s] or [-14.141%; -4.736%] | 9.800ms | 503.118op/s | 8.886ms | 555.556op/s |
| scenario:load:petclinic:no_agent | better: [-925.324µs; -877.142µs] or [-10.462%; -9.917%] | better: [+44.029op/s; +77.400op/s] or [+7.870%; +13.835%] | 7.943ms | 620.155op/s | 8.845ms | 559.441op/s |
| scenario:load:petclinic:profiling | better: [-8.272ms; -8.224ms] or [-99.936%; -99.350%] | unstable: [+12289.878op/s; +26516.093op/s] or [+2058.554%; +4441.446%] | 0.030ms | 20000.000op/s | 8.278ms | 597.015op/s |
| scenario:load:petclinic:tracing | worse: [+8.647ms; +8.688ms] or [+inf%; +inf%] | unstable: [-22978.967op/s; -15878.176op/s] or [-114.895%; -79.391%] | 8667550.574ns | 571.429op/s | 0.000ns | 20000.000op/s |

Dacapo

Parameters

| Parameter | Baseline | Candidate |
|---|---|---|
| baseline_or_candidate | baseline | candidate |
| git_branch | master | sezen.leblay/APPSEC-57259-extract-schema-spring |
| git_commit_date | 1749730552 | 1749736563 |
| git_commit_sha | 05d97db | 6d9e334 |
| release_version | 1.50.0-SNAPSHOT~05d97db941 | 1.50.0-SNAPSHOT~6d9e334825 |

Matching parameters (identical for baseline and candidate):

| Parameter | Value |
|---|---|
| application | biojava |
| ci_job_date | 1749738832 |
| ci_job_id | 978735253 |
| ci_pipeline_id | 67537713 |
| cpu_model | Intel(R) Xeon(R) Platinum 8259CL CPU @ 2.50GHz |
| kernel_version | Linux runner-63wmvl1-project-304-concurrent-1-jl1npz0t 6.8.0-1029-aws #31~22.04.1-Ubuntu SMP Thu Apr 24 21:16:18 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| variant | appsec |

Summary

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

Execution time for biojava
[Gantt chart: biojava - execution time [CI 0.99]: candidate=1.50.0-SNAPSHOT~6d9e334825, baseline=1.50.0-SNAPSHOT~05d97db941; the per-variant figures are listed in the baseline and candidate tables below]
Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.325 s [15.325 s, 15.325 s] | - |
| appsec | 14.954 s [14.954 s, 14.954 s] | -371.0 ms (-2.4%) |
| iast | 18.219 s [18.219 s, 18.219 s] | 2.894 s (18.9%) |
| iast_GLOBAL | 18.029 s [18.029 s, 18.029 s] | 2.704 s (17.6%) |
| profiling | 15.889 s [15.889 s, 15.889 s] | 564.0 ms (3.7%) |
| tracing | 14.885 s [14.885 s, 14.885 s] | -440.0 ms (-2.9%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 15.356 s [15.356 s, 15.356 s] | - |
| appsec | 14.829 s [14.829 s, 14.829 s] | -527.0 ms (-3.4%) |
| iast | 18.631 s [18.631 s, 18.631 s] | 3.275 s (21.3%) |
| iast_GLOBAL | 17.982 s [17.982 s, 17.982 s] | 2.626 s (17.1%) |
| profiling | 15.329 s [15.329 s, 15.329 s] | -27.0 ms (-0.2%) |
| tracing | 15.003 s [15.003 s, 15.003 s] | -353.0 ms (-2.3%) |
Execution time for tomcat
[Gantt chart: tomcat - execution time [CI 0.99]: candidate=1.50.0-SNAPSHOT~6d9e334825, baseline=1.50.0-SNAPSHOT~05d97db941; the per-variant figures are listed in the baseline and candidate tables below]
Baseline results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.477 ms [1.465 ms, 1.488 ms] | - |
| appsec | 2.399 ms [2.35 ms, 2.448 ms] | 922.259 µs (62.5%) |
| iast | 2.191 ms [2.129 ms, 2.252 ms] | 714.132 µs (48.4%) |
| iast_GLOBAL | 2.221 ms [2.16 ms, 2.283 ms] | 744.716 µs (50.4%) |
| profiling | 2.034 ms [1.984 ms, 2.084 ms] | 557.164 µs (37.7%) |
| tracing | 1.992 ms [1.945 ms, 2.04 ms] | 515.846 µs (34.9%) |

Candidate results:

| Variant | Execution Time [CI 0.99] | Δ no_agent |
|---|---|---|
| no_agent | 1.471 ms [1.459 ms, 1.482 ms] | - |
| appsec | 2.399 ms [2.35 ms, 2.448 ms] | 927.967 µs (63.1%) |
| iast | 2.177 ms [2.116 ms, 2.239 ms] | 706.331 µs (48.0%) |
| iast_GLOBAL | 2.23 ms [2.168 ms, 2.292 ms] | 759.433 µs (51.6%) |
| profiling | 2.04 ms [1.99 ms, 2.09 ms] | 569.111 µs (38.7%) |
| tracing | 2.0 ms [1.952 ms, 2.047 ms] | 528.86 µs (36.0%) |

@@ -627,6 +671,38 @@ private Flow<Void> onRequestBodyDone(RequestContext ctx_, StoredBodySupplier sup
}
}

private Flow<Void> onResponseBodyDone(RequestContext ctx_, StoredBodySupplier supplier) {
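Review bot: onResponseBodyDone(RequestContext ctx_, StoredBodySupplier supplier) takes the same raw-body supplier type as onRequestBodyDone, so this hunk wires a raw response body path into the callback set; since the rest of this review settles on publishing only the converted response object (RESPONSE_BODY_CONVERTED), either document why a raw response body callback is still needed or drop it so the response path stays limited to the converted object.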
@jandro996 jandro996 Jun 9, 2025


I need to check the RFC properly, but AFAIK the raw response body doesn't apply to schema collection.

Comment on lines +149 to +160
if (action instanceof Flow.Action.RequestBlockingAction) {
Flow.Action.RequestBlockingAction rba = (Flow.Action.RequestBlockingAction) action;
BlockResponseFunction brf = reqCtx.getBlockResponseFunction();
if (brf != null) {
brf.tryCommitBlockingResponse(
reqCtx.getTraceSegment(),
rba.getStatusCode(),
rba.getBlockingContentType(),
rba.getExtraHeaders());
}
throw new BlockingException("Blocked response (for HttpMessageConverter/write)");
}
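Review bot: throw new BlockingException("Blocked response (for HttpMessageConverter/write)") at the end of this branch runs even when brf is null, so the write is aborted without any blocking response having been committed by tryCommitBlockingResponse; either guard the throw on a successfully committed response, or document that aborting the write with nothing committed is the intended outcome. The same blocking handling already exists on the request side, as noted in this thread, so the branch may be removable altogether.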

Do we need to do this here? We do this in the request to block if it's necessary.

@Advice.OnMethodEnter(suppress = Throwable.class)
public static void before(
@Advice.Argument(0) final Object obj, @ActiveRequestContext RequestContext reqCtx) {
if (obj == null) {

As we don't want to collect the response if the request is blocked, maybe it's a good point to check something like AppSecRequestContext#isWafBlocked (only works for waf but we can add another flag for RASP)

if (subInfo == null || subInfo.isEmpty()) {
return NoopFlow.INSTANCE;
}
Object converted = ObjectIntrospection.convert(obj, ctx, () -> {});
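Review bot: ObjectIntrospection.convert(obj, ctx, () -> {}) passes a no-op lambda as its last argument, so anything the converter signals through that callback is silently discarded for the response body; pass a callback that records the signal (at least for telemetry), and check that the converter applies the schema-extraction limits quoted in this thread (depth 18, array 10, record 255) rather than the global object limits when the converted response is used only for schema collection.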

We need to change ObjectIntrospection#convert to be able to use it for response schema collection.

Limits
Currently most libraries enforce a set of limits before serialising addresses into ddwaf_object. The default global object limits are the following:
Maximum string length: 4096 bytes
Maximum container depth: 20 levels
Maximum container size: 256 nodes

The schema extraction algorithm has a different set of limits, which are lower than the limits mentioned above:
Maximum container depth: 18 levels
Maximum array size: 10 nodes
Maximum record size: 255 nodes

When serialising addresses to ddwaf_object which aren’t used for anything other than schema extraction, the library may use the schema extraction limits, rather than the global object limits.

https://docs.google.com/document/d/1965kNw_1CScNM15GgLZ0jvMhFH2kLpDYGztw8YeOfjM/edit?tab=t.0
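The two limit sets quoted above, applied by a limit-bounded object-to-tree conversion with a truncation callback, as an added example that is not the project's code: `Limits`, `convert`, `TruncationRecorder`, `convert_for_schema` and `SAMPLE_RESPONSE` are hypothetical names chosen here, and the tree shape (dict/list/scalars standing in for ddwaf_object) is an assumption. It also shows what is lost when the callback is a no-op like the `() -> {}` discussed above.

```python
from collections.abc import Mapping
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Limits:
    max_string_length: int  # global object limit; the schema set does not override it
    max_depth: int          # nested container levels kept
    max_array_size: int     # elements kept per array
    max_record_size: int    # entries kept per record (map/object)


# Values as quoted from the RFC in the review thread.
GLOBAL_LIMITS = Limits(max_string_length=4096, max_depth=20, max_array_size=256, max_record_size=256)
SCHEMA_LIMITS = Limits(max_string_length=4096, max_depth=18, max_array_size=10, max_record_size=255)

# Constructed sample response DTO (not from the project) that exceeds two schema limits.
SAMPLE_RESPONSE = {"id": 42, "tags": list(range(50)), "owner": {"name": "x" * 5000}}


def convert(obj: Any, limits: Limits, on_truncate: Callable[[str], None], depth: int = 0) -> Any:
    """Turn an object graph into a ddwaf_object-like tree (dict/list/scalars),
    cutting it at `limits` and reporting every cut through `on_truncate`."""
    if obj is None or isinstance(obj, (bool, int, float)):
        return obj
    if isinstance(obj, bytes):
        obj = obj.decode("utf-8", "replace")
    if isinstance(obj, str):
        if len(obj) > limits.max_string_length:
            on_truncate("string_length")
            return obj[: limits.max_string_length]
        return obj
    if isinstance(obj, Mapping):
        if depth >= limits.max_depth:  # this container would be level max_depth + 1
            on_truncate("depth")
            return None
        record: dict = {}
        for i, (key, value) in enumerate(obj.items()):
            if i >= limits.max_record_size:
                on_truncate("record_size")
                break
            record[str(key)] = convert(value, limits, on_truncate, depth + 1)
        return record
    if isinstance(obj, (list, tuple, set, frozenset)):
        if depth >= limits.max_depth:
            on_truncate("depth")
            return None
        array: list = []
        for i, value in enumerate(obj):
            if i >= limits.max_array_size:
                on_truncate("array_size")
                break
            array.append(convert(value, limits, on_truncate, depth + 1))
        return array
    if hasattr(obj, "__dict__"):  # plain DTO: introspect its fields as a record
        return convert(vars(obj), limits, on_truncate, depth)
    return str(obj)  # anything else is kept as an opaque scalar


class TruncationRecorder:
    """Callback that keeps each truncation reason instead of dropping it like a no-op lambda."""

    def __init__(self) -> None:
        self.reasons: list[str] = []

    def __call__(self, reason: str) -> None:
        self.reasons.append(reason)


def convert_for_schema(obj: Any) -> tuple[Any, list[str]]:
    """Convert with the schema-extraction limits; returns (tree, truncation reasons)."""
    recorder = TruncationRecorder()
    return convert(obj, SCHEMA_LIMITS, recorder), recorder.reasons
```

Running `convert_for_schema(SAMPLE_RESPONSE)` keeps 10 of the 50 tags and 4096 characters of the name and reports `["array_size", "string_length"]`, whereas the same input under `GLOBAL_LIMITS` is only cut at the string.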


I think that we only need the RESPONSE_BODY_CONVERTED


Same here, I think that we are ok just with RESPONSE_BODY_CONVERTED_ID

@@ -98,6 +98,7 @@ public class AppSecRequestContext implements DataBundle, Closeable {
private String inferredClientIp;

private volatile StoredBodySupplier storedRequestBodySupplier;
private volatile StoredBodySupplier storedResponseBodySupplier;

I think we don't need this, as we can pass the response object via callback directly

@@ -106,6 +107,8 @@ public class AppSecRequestContext implements DataBundle, Closeable {
private boolean rawReqBodyPublished;
private boolean convertedReqBodyPublished;
private boolean respDataPublished;
private boolean rawRespBodyPublished;
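Review bot: rawRespBodyPublished is added without a convertedRespBodyPublished counterpart, unlike the request side's rawReqBodyPublished/convertedReqBodyPublished pair in the same class; if only the converted response body is published for schema collection, as suggested in this thread, rename the flag so the publish-once guard matches the event that is actually emitted.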

We don't need the raw response.

@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch 2 times, most recently from ade8110 to 5aa9177 Compare June 10, 2025 12:54
@sezen-datadog sezen-datadog changed the base branch from master to malvarez/vertx-response-extraction June 10, 2025 12:55
@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from 5aa9177 to 5000116 Compare June 10, 2025 12:56
Signed-off-by: sezen.leblay <sezen.leblay@datadoghq.com>
@sezen-datadog sezen-datadog force-pushed the sezen.leblay/APPSEC-57259-extract-schema-spring branch from b2f2eb6 to 81198be Compare June 12, 2025 11:44
Signed-off-by: sezen.leblay <sezen.leblay@datadoghq.com>
Signed-off-by: sezen.leblay <sezen.leblay@datadoghq.com>
2 participants